Configuring Session Persistence (Stickiness)

Session persistence (or stickiness) refers to the functionality of sending multiple (simultaneous or subsequent) connections from the same client consistently to the same server. This is a typical requirement in certain load balancing environments.

The problem originates from the fact that complete application transactions (think of the act of browsing a web site, selecting various items for purchase, then checking out) typically require multiple ¯ sometimes hundreds or thousands ¯ simultaneous or subsequent connections. Most of these transactions generate and require temporary critical information. This information is stored and modified on the specific server that is handling the transaction. For the entire duration of the transaction which may take from minutes to hours, the client has to be consistently sent to the same server.

Multi-tier designs with a back-end shared data-base partially remove the problem, but a good stickiness solution improves the performance of the application, by relying on the local server cache. Using the local server cache removes the requirement to connect to the data-base and fetch the transaction specific information each time that a new server is selected.

How to uniquely identify a client across multiple connections constitutes the most difficult part of the stickiness problem. Whatever might be the key information used to recognize and identify a client, the load balancing device must store that information and associate it with the server that is currently processing the transaction.

Note The CSM can maintain a sticky database of 256.000 entries.

The CSM can uniquely identify the clients and perform stickiness with the following methods:

•Source IP address stickiness

The CSM can be configured to learn the entire source IP address (with a netmask of 32 bits), or just a portion of it.

•SSL identification stickiness

When client and servers are communicating over SSL, they maintain a unique SSL Identification number across multiple connections. SSL version 3.0 or TLS 1.0 specify that this identification number must be carried in clear text. The CSM can use this value to identify a specific transaction. However, because this SSL ID can be renegotiated it is not always possible to preserve stickiness to the correct server. SSL ID based stickiness is used to improve performance of SSL termination devices by consistently allowing SSL ID re-use.

Note When the CSM is used in conjunction with the Catalyst 6500 SSL Module, SSL ID stickiness across SSL ID renegotiation is possible, since each Catalyst 6500 SSL Module inserts its MAC address within the SSL ID, at a specific offset. This is configured through the ssl-sticky command under the virtual server configuration submode.

Refer to the Catalyst 6500 Series Switch Content Switching Module Command Reference for information about the ssl-sticky command.

•Dynamic cookie learning

The CSM can be configured to look for a specific cookie name and automatically learn its value either from the client request HTTP header or from the server "set cookie" message.

By default the entire cookie value is learned by the CSM, however this feature has been enhanced in CSM software release 4.1.(1) by introducing an optional offset and length, to instruct the CSM to only learn a portion of the cookie value. See the "Cookie Sticky Offset and Length" section.

Dynamic cookie learning is useful when dealing with applications like J2EE applications that store more than just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value are relevant to stickiness.

CSM software release 4.1(1) also improves the dynamic cookie stickiness feature by adding the capability to search for (and eventually learn or stick to) the cookie information as part of the URL See the "URL-Learn" section URL learning is also useful with J2EE or other types of applications that insert cookie information as part of the HTTP URL. In some cases this feature can be used to work around clients that reject cookies.

•Cookie insert

The CSM inserts the cookie on behalf of the server, so that cookie sticky can be performed even when the servers are not configured to set cookies. The cookie contains information that the CSM uses to ensure persistence to a specific real server.

Configuring Sticky Groups

Configuring a sticky group involves configuring the sticky method (source IP, SSL ID, cookie) and parameters of that group and associating it with a policy. The sticky timeout specifies the period of time that the sticky information is kept in the sticky tables. The default sticky timeout value is 1440 minutes (24 hours). The sticky timer for a specific entry is reset every time that a new connection matching that entry is opened

Note Multiple policies or virtual servers potentially can be configured with the same sticky group. In that case, the stickiness behavior applies to all connections to any of those policies or virtual servers. These connections are also referred to as "buddy connections," because a client stuck to server A through policy or virtual server 1 also will be stuck to the same server A through policy or virtual server 2, if both policy or virtual server 1 and 2 are configured with the same sticky group.

Warning When using the same sticky group under multiple policies or virtual servers, it is very important to make sure that all are using the same exact server farm, or a different server farm with the same exact servers in it.

This example shows how to configure a sticky group and associate it with a policy:

Router(config-module-csm)# sticky1cookiefootimeout100

Router(config-module-csm)# serverfarmpl_stick

Router(config-slb-sfarm)# real 10.8.0.18

Router(config-slb-real)# inservice

Router(config-slb-sfarm)# real 10.8.0.19

Router(config-slb-real)# inservice

Router(config-slb-real)# exit

Router(config-slb-sfarm)# exit

Router(config-module-csm)# policypolicy_sticky_ck

Router(config-slb-policy)# serverfarmpl_stick

Router(config-slb-policy)# sticky-group1

Router(config-slb-policy)# exit

Router(config-module-csm)# vservervs_sticky_ck

Router(config-slb-vserver)# virtual 10.8.0.125 tcp 90

Router(config-slb-vserver)# slb-policypolicy_sticky_ck

Router(config-slb-vserver)# inservice

Router(config-slb-vserver)# exit

Cookie Insert

Use cookie insert when you want to use a session cookie for persistence if the server is not currently setting the appropriate cookie. With this feature enabled, the CSM inserts the cookie in the response to the server from the client. The CSM then inserts a cookie in traffic flows from a server to the client.

This example shows how to specify a cookie for persistence:

Cat6k-2(config-module-csm)# sticky 5 cookie mycookie insert

Cookie Sticky Offset and Length

The cookie value may change with only a portion remaining constant throughout a transaction between the client and a server. The constant portion may be used to make persistent connections back to a specific server. To stick or maintain the persistence of that connection, you can specify the portion of the cookie that remains constant with the offset and length values of a cookie in the cookie offsetnum [lengthnum] command.

You specify the offset in bytes, counting from the first byte of the cookie value and the length (also in bytes) which specifies the portion of the cookie that you are using to maintain the sticky connection. These values are stored in the sticky tables.

The offset and length can vary from 0 to 4000 bytes. If the cookie value is longer than the offset but shorter than the offset plus the length of the cookie, the CSM will stick the connection based on that portion of the cookie after the offset.

This example shows how to specify set the cookie offset and length:

Cat6k-1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Cat6k-1(config)# module csm 4

Cat6k-1(config-module-csm)# sticky 20 cookie SESSION_ID

Cat(config-slb-sticky-cookie)# cookie offset 10 length 6

URL-Learn

The URL-learn cookie sticky feature allows the CSM to capture the session information of the set-cookie field or cookies embedded in URLs. The CSM creates a sticky table entry based on the value of a specified cookie embedded in the set-cookie HTTP header of the server's response.

When URL-learn is configured the CSM can learn the cookie value in 3 different ways:

•Set cookie message in the server to client direction

•Cookie carried in a client request

•Cookie value embedded in the URL

The first two bulleted behaviors are already supported by the standard dynamic cookie learning feature, and the last behavior is added with the URL-learn feature.

In most cases, the client then returns the same cookie value in a subsequent HTTP request. The CSM sticks the client to the same server based on that matching value. Some clients, however, disable cookies in their browser making this type of cookie sticky connection impossible. With the new URL cookie learn feature, the CSM can extract the cookie name and value embedded in the URL string. This feature only works if the server has embedded the cookie into the URL link in the web page.

If the client's request does not carry a cookie, the CSM looks for the session ID string (?session-id=) configured on the CSM. The value associated with this string is the session ID number that the CSM looks for in the cache. The session ID is matched with the server where the requested information is located and the client's request is sent.

Because the session cookie and the URL session ID may be different, the Cisco IOS stickyidcookiename command was updated. The example in this section shows the correct syntax.

Depending on client and server behavior and the sequence of frames, the same cookie value may appear in the standard HTTP cookies appearing in HTTP cookie, set-cookie headers, or cookies embedded in URLs. The name of a cookie may be different from the URL depending on whether the cookie is embedded in a URL or appears in an HTTP cookie header. The use of a different name for the cookie and the URL occurs because these two parameters are configurable on the server and are very often set differently. For example, the set-cookie name might be this:

Set-Cookie: session_cookie = 123

The URL might be this:

http://www.example.com/?session-id=123

The name field in the sticky command specifies the cookie name that appears in the cookie headers. The secondarysession_id clause added to this command specifies the corresponding cookie name that appears in the URL.

This example shows how to configure the URL learning feature:

Cat6k-1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Cat6k-1(config)# module csm 4

Cat6k-1(config-module-csm)# sticky 30 cookiesession_cookie

Cat(config-slb-sticky-cookie)# cookie secondarysession-id

Cat(config-slb-sticky-cookie)#

Configuring Route Health Injection

These sections describe how to configure route health injection (RHI):

RHI Overview

RHI allows the CSM to advertise the availability of a VIP address throughout the network. Multiple CSM devices with identical VIP addresses and services can exist throughout the network. One CSM can override the server load-balancing services over the other devices if the services are no longer available on the other devices. One CSM also can provide the services because it is logically closer to the client systems than other server load-balancing devices.

Note RHI is restricted to intranets because the CSM advertises the VIP address as a host route and most routers do not propagate the host-route information to the Internet.

Note RHI is normally restricted to intranets; for security reasons, most routers do not propagate host-route information to the Internet.

Routing to VIP Addresses Without RHI

Without RHI, traffic reaches the VIP address by following a route to the client VLAN to which the VIP address belongs. When the CSM powers on, the MSFC creates routes to client VLANs in its routing table and shares this route information with other routers. To reach the VIP, the client systems rely on the router to send the requests to the network subnet address where the individual VIP address lives.

If the subnet or segment is reachable but the virtual servers on the CSM at this location are not operating, the requests fail. Other CSM devices can be at different locations. However, the routers only send the requests based on the logical distance to the subnet.

Without RHI, traffic is sent to the VIP address without any verification that the VIP address is available. The real servers attached to the VIP might not be active.

Note By default, the CSM will not advertise the configured VIP addresses.

Routing to VIP Addresses with RHI

With RHI, the CSM sends advertisements to the MSFC when VIP addresses become available and withdraws advertisements for VIP addresses that are no longer available. The router looks in the routing table to find the path information it needs to send the request from the client to the VIP address. When the RHI feature is turned on, the advertised VIP address information is the most specific match. The request for the client is sent through the path where it reaches the CSM with active VIP services.

When multiple instances of a VIP address exist, a client router receives the information it needs (availability and hop count) for each instance of a VIP address, allowing it to determine the best available route to that VIP address. The router chooses the path where the CSM is logically closer to the client system.

Note With RHI, you must also configure probes because the CSM determines if it can reach a given VIP address by probing all the real servers that serve its content. After determining if it can reach a VIP address, the CSM shares this availability information with the MSFC. The MSFC, in turn, propagates this VIP availability information to the rest of the intranet.

Understanding How the CSM Determines VIP Availability

For the CSM to determine if a VIP is available, you must configure a probe (HTTP, ICMP, Telnet, TCP, FTP, SMTP, or DNS) and associate it with a server farm. When probes are configured, the CSM performs these checks:

•Probes all real servers on all server farms configured for probing

•Identifies server farms that are reachable (have at least one reachable real server)

•Identifies virtual servers that are reachable (have at least one reachable server farm)

•Identifies VIPs that are reachable (have at least one reachable virtual server)

Understanding Propagation of VIP Availability Information

With RHI, the CSM sends advertise messages to the MSFC containing the available VIP addresses. The MSFC adds an entry in its routing table for each VIP address it receives from the CSM. The routing protocol running on the MSFC sends routing table updates to other routers. When a VIP address becomes unavailable, its route is no longer advertised, the entry times out, and the routing protocol propagates the change.

Note For RHI to work on the CSM, the MSFC in the chassis in which the CSM resides must run Cisco IOS Release 12.1.7(E) or later and must be configured as the client-side router.

Whether to include the operational state of a backup serverfarm into the state of a
virtual server

Name:DEST_UNREACHABLE_MASK Rights:RW

Value:0xffff

Default:65535

Valid values:Integer (0 to 65535)

Description:

Bitmask defining which ICMP destination unreachable codes are to be forwarded

Name:FT_FLOW_REFRESH_INT Rights:RW

Value:60

Default:60

Valid values:Integer (1 to 65535)

Description:

FT slowpath flow refresh interval in seconds

Name:GSLB_LICENSE_KEY Rights:RW

Value:(no valid license)

Default:(no valid license)

Valid values:String (1 to 63 chars)

Description:

License key string to enable GSLB feature

Name:HTTP_CASE_SENSITIVE_MATCHING Rights:RW

Value:1

Default:1

Valid values:Integer (0 to 1)

Description:

Whether the URL (Cookie, Header) matching and sticky to be case sensitive

Name:MAX_PARSE_LEN_MULTIPLIER Rights:RW

Value:1

Default:1

Valid values:Integer (1 to 16)

Description:

Multiply the configured max-parse-len by this amount

Name:NAT_CLIENT_HASH_SOURCE_PORT Rights:RW

Value:0

Default:0

Valid values:Integer (0 to 1)

Description:

Whether to use the source port to pick client NAT IP address

Name:ROUTE_UNKNOWN_FLOW_PKTS Rights:RW

Value:0

Default:0

Valid values:Integer (0 to 1)

Description:

Whether to route non-SYN packets that do not matched any existing flows

Name:NO_RESET_UNIDIRECTIONAL_FLOWS Rights:RW

Value:0

Default:0

Valid values:Integer (0 to 1)

Description:

If set, unidirectional flows will not be reset when timed out

Name:SYN_COOKIE_INTERVAL Rights:RW

Value:3

Default:3

Valid values:Integer (1 to 60)

Description:

The interval, in seconds, at which a new syn-cookie key is generated

Name:SYN_COOKIE_THRESHOLD Rights:RW

Value:5000

Default:5000

Valid values:Integer (0 to 1048576)

Description:

The threshold (in number of pending sessions) at which syn-cookie is engaged

Name:TCP_MSS_OPTION Rights:RW

Value:1460

Default:1460

Valid values:Integer (1 to 65535)

Description:

Maximum Segment Size (MSS) value sent by CSM for L7 processing

Name:TCP_WND_SIZE_OPTION Rights:RW

Value:8192

Default:8192

Valid values:Integer (1 to 65535)

Description:

Window Size value sent by CSM for L7 processing

Name:VSERVER_ICMP_ALWAYS_RESPOND Rights:RW

Value:false

Default:false

Valid values:String (1 to 5 chars)

Description:

If "true" respond to ICMP probes regardless of vserver state

Name:XML_CONFIG_AUTH_TYPE Rights:RW

Value:Basic

Default:Basic

Valid values:String (5 to 6 chars)

Description:

HTTP authentication type for xml-config:Basic or Digest

Configuring Persistent Connections

The CSM allows HTTP connections to be switched based on a URL, cookies, or other fields contained in the HTTP header. Persistent connection support in the CSM allows for each successive HTTP request in a persistent connection to be switched independently. As a new HTTP request arrives, it may be switched to the same server as the prior request, it may be switched to a different server, or it may be reset to the client preventing that request from being completed.

As of software release 2.1(1), the CSM supports HTTP 1.1 persistence. This feature allows browsers to send multiple HTTP requests on a single persistent connection. After a persistent connection is established, the server keeps the connection open for a configurable interval, anticipating that it may receive more requests from the same client. Persistent connections eliminate the overhead involved in establishing a new TCP connection for each request.

HTTP Header Insert

HTTP header insert provides the CSM with the ability to insert information such as the client's IP address into the HTTP header. This feature is particularly useful in situations where the CSM is performing source NAT and the application on the server side still requires visibility to the original source IP.

The CSM can insert the source IP address from the client into the header in the client-to-server direction.

Use the insert protocol http header name header-value value commandto insert information into the HTTP header.

•name—Literal name of the generic field in the HTTP header. Name is a string with a range from 1 to 63 characters.

•value—Specifies the literal header value string to insert in the request.

You can also use the %is and %id special parameters for header values. The %is value inserts the source IP into the HTTP header and the %id value inserts the destination IP into the header. Each special parameter may only be specified once per header map.

Note A header map may contain multiple insert headers. If you insert header values that are made of multiple keywords that includes spaces, you must use double quotes around the entire expression.

When configuring HTTP header insert, you must use a header-map and a policy. You cannot use the default policy for HTTP header insert to work.

This example shows how to specify header fields and values to search upon a request:

Configuring Global Server Load Balancing

This section contains the CSM global server load balancing (GSLB) advanced feature set option and instructions for its use. You should review the terms of the "Software License Agreement" carefully before using the advanced feature set option.

Note By downloading or installing the software, you are consenting to be bound by the license agreement. If you do not agree to all of the terms of this license, then do not download, install, or use the software.

Using the GSLB Advanced Feature Set Option

To enable GSLB, perform this task in privileged mode:

Command

Purpose

Router# config t

Router(config)# mod csm 5

Enters the configuration mode and enters CSM configuration mode for the specific CSM (for example, module 5, as used here).

Router(config-module-csm)# variablenamevalue

Enables GSLB by using the name and value provided as follows:Name= 1Value=

Configuring GSLB

Global Server Load Balancing (GSLB) performs load balancing between multiple, dispersed hosting sites by directing client connections through DNS to different server farms and real servers based on load availability. GSLB is performed using access lists, maps, server farms, and load-balancing algorithms. Table 8-3 provides an overview of what is required for a GSLB configuration on the CSM.

Table 8-3 GSLB Operations

Client Request (From)

Domain (For)

Server farm (To)

Algorithm (Method)

Access lists can be used to filter incoming DNS requests, and policies are used to associate the configured maps, client-groups, and server farms for incoming DNS requests.

A map is configured to specify the domain names that client requests must match. Regular expression syntax is supported.

For example, domain names are cnn.com or yahoo.com that a client request must be matched against. If the domain name matches the specified map of a policy, the primary server farm is queried for a real server to respond to the request.

A server farm specifies a group of real servers where information is located that satisfies the client's request.

The GSLB probe is available for determining the availability of a target real server, using the probe type configured on the real server.

Configuring Network Management

Configuring SNMP Traps for Real Servers

When enabled, an SNMP trap is sent to an external management device each time a real server changes its state (for example, each time a server is taken in or out of service). The trap contains an object identifier (OID) that identifies it as a real-server trap.

Note The real server trap OID is 1.3.6.1.4.1.9.9.161.2

The trap also contains a message describing the reason for the server state change.

Use the snmp-server enable traps slb ft command to enable or disable fault-tolerant traps associated with the SLB function of the Catalyst 6500 series switch. A fault-tolerant trap deals with the fault tolerance aspects of SLB. For example, when fault-tolerant traps are enabled and the SLB device detects a failure in its fault-tolerant peer, it sends an SNMP trap as it transitions from standby to active.

To configure SNMP traps for real servers, perform this task:

Command

Purpose

Step 1

Router (config)# snmp-server
community public

Defines a password-like community string sent with the notification operation. The example string is public.

Step 2

Router (config)# snmp-server
host host-addr

Defines the IP address of an external network management device to which traps are sent.

1The no form of this command disables the SNMP fault-tolerant traps feature.

Configuring the XML Interface

In previous releases, the only method available for configuring the CSM was the Cisco IOS command line interface. With XML, you can configure the CSM using a Document Type Definition or DTD. Refer to "CSM XML Document Type Definition" for a sample of an XML DTD.

These guidelines apply to XML for the CSM:

•Up to five concurrent client connections are allowed.

•The XML configuration is independent of the IP SLB mode with the following exception: the csm_module slot='x' sense='no command does have the desired effect and generates an XML error.

•Pipelined HTTP posts are not supported.

•There is a 30-second timeout for all client communication.

•Bad client credentials cause a message to be sent to the Cisco IOS system log.

•A single CSM can act as proxy for other CSM configuration by specifying a different slot attribute.

When you enable this feature, a network management device may connect to the CSM and send the new configurations to the device. The network management device sends configuration commands to the CSM using the standard HTTP protocol. The new configuration is applied by sending an XML document to the CSM in the data portion of an HTTP POST.

For the XML feature to operate, the network management system must connect to a CSM IP address, not a switch interface IP address.

Because the master copy of the configuration must be stored in Cisco IOS, as it is with the command line interface, when XML configuration requests are received by the CSM, these requests must be sent to the supervisor engine.

Note XML configuration allows a single CSM to act as proxy for all the CSMs in the same switch chassis. For example, an XML page with configuration for one CSM may be successfully posted through a different CSM in the same switch chassis.

The Document Type Description (DTD), now publicly available, is the basis for XML configuration documents you create. (See "CSM XML Document Type Definition.") The XML documents are sent directly to the CSM in HTTP POST requests. To use XML, you must create a minimum configuration on the CSM in advance, using the Cisco IOS command line interface. Refer to the Catalyst 6500 Series Content Switching Module Command Reference for information on the xml-config command.

The response is an XML document mirroring the request with troublesome elements flagged with child-error elements, and with an error code and error string. You can specify which types of errors should be ignored by using an attribute of the root element in the XML document.

There will be an addition to the Cisco IOS command line interface for enabling XML configuration capabilities for a particular CSM interface. Along with the ability to enable and disable the TCP port, security options for client access lists and HTTP authentication are supported.

To configure XML on the CSM, perform this task:

Command

Purpose

Step 1

Router(config-module-csm)# module csmslot

Specifies the module and slot number.

Step 2

Router(config-module-csm)# xml-config

Enables XML on the CSM and enters the XML configuration mode.

Step 3

Router(config-slb-xml)# portport-number

Specifies the TCP port where the CSM HTTP server listens.

Step 4

Router(config-slb-xml)# vlanid

Restricts the CSM HTTP server to accept connections only from the specified VLAN.

Step 5

Router(config-slb-xml)#client-group
[1-99 | name]

Specifies that only connections sourced from an IP address matching a client-group are accepted by the CSM XML configuration interface.

Step 6

Router(config-slb-xml)#credentialsuser-name password

Configures one or more username and password combinations. When one or more credentials commands are specified, the CSM HTTP server authenticates user access using the basic authentication scheme described in RFC 2617.

Step 7

Router# show module csm 4 xml stats

Displays a list of XML statistics.

Note The statistics counters are 32 bit.

This example shows how to run configure XML on the CSM:

Router(config-module-csm)# configure terminal

Router(config-module-csm)# m odule csm 4

Router(config-module-csm)# xml-config

Router(config-slb-xml)# port 23

Router(config-slb-xml)# vlan 200

Router(config-slb-xml)# client-group 60

Router(config-slb-xml)# credentials eric @#$#%%@

Router# show module csm 4 xml stats

When an untolerated XML error occurs, the HTTP response contains a 200 code. The portion of the original XML document with the error is returned with an error element that contains the error type and description.

This example shows an error response to a condition where a virtual server name is missing:

<?xml version="1.0"?>

<config>

<csm_module slot="4">

<vserver>

<error code="0x20">Missing attribute name in element

vserver</error>

</vserver>

</csm_module>

</config>

The error codes returned also correspond to the bits of the error tolerance attribute of the configuration element. The following list contains the returned XML error codes:

XML_ERR_INTERNAL = 0x0001,

XML_ERR_COMM_FAILURE = 0x0002,

XML_ERR_WELLFORMEDNESS = 0x0004,

XML_ERR_ATTR_UNRECOGNIZED = 0x0008,

XML_ERR_ATTR_INVALID = 0x0010,

XML_ERR_ATTR_MISSING = 0x0020,

XML_ERR_ELEM_UNRECOGNIZED = 0x0040,

XML_ERR_ELEM_INVALID = 0x0080,

XML_ERR_ELEM_MISSING = 0x0100,

XML_ERR_ELEM_CONTEXT = 0x0200,

XML_ERR_IOS_PARSER = 0x0400,

XML_ERR_IOS_MODULE_IN_USE = 0x0800,

XML_ERR_IOS_WRONG_MODULE = 0x1000,

XML_ERR_IOS_CONFIG = 0x2000

The default error_tolerance value is 0x48, which corresponds to ignoring unrecognized attributes and elements.

Back-End Encryption

Back-end encryption allows you to create a secure end-to-end environment. In Figure 8-2, the client (7.100.100.1) is connected to switch port 6/47 in access VLAN 7. The server (191.162.2.8) is connected to switch port 10/2 in access VLAN 190.

The SSL proxy VLAN 7 has the following configuration:

•IP address—7.100.100.150

•Static route and gateway:

–Route 191.0.0.0

–Gateway 7.100.100.100

The gateway IP address (the IP address of interface VLAN 7 on the MSFC) is configured so that the client-side traffic that is destined to an unknown network is forwarded to that IP address for further routing to the client.

•Client-side gateway—7.100.100.100 (the IP address of VLAN 7 configured on the MSFC)

You can perform SSL load balancing on the CSM and an SSL Services Module in mixed mode.

The CSM uses SSL-ID sticky functionality to stick SSL connections to the same SSL Services Module. The CSM must terminate the client-side TCP connection in order to inspect the SSL-ID. The CSM must then initiate a TCP connection to the SSL Services Module when a load-balancing decision has been made.

The traffic flow has the CSM passing all traffic received on a virtual server to the SSL Services Module with TCP termination performed on the SSL Services Module. When you enable the SSL sticky function, the connection between the CSM and the SSL Services Module becomes a full TCP connection.

This example shows how to configure mixed-mode SSL load balancing:

Cat6k-2(config-module-csm)# sticky 10 ssl timeout 60

Cat6k-2(config-module-csm)# serverfarm SSLfarm

Cat6k-2(config-slb-sfarm)# real 10.1.0.21 local

Cat6k-2(config-slb-sfarm)# inservice

Cat6k-2(config-slb-sfarm)# real 10.2.0.21

Cat6k-2(config-slb-sfarm)# inservice

Cat6k-2(config-module-csm)# vserver VS1

Cat6k-2(config-slb-vserver)# virtual 10.1.0.21 tcp https

Cat6k-2(config-slb-vserver)# sticky 60 group 10

Cat6k-2(config-slb-vserver)# serverfarm SSLfarm

Cat6k-2(config-slb-vserver)# persistent rebalance

Cat6k-2(config-slb-vserver)# inservice

You must make an internally generated configuration to direct traffic at the SSL Services Module when the CSM must terminate the client-side TCP connection. You must create a virtual server with the same IP address or port of each local real server in the server farm SSLfarm. Internally, this virtual server is configured to direct all traffic that is intended for the virtual server to the SSL Services Module.

You must make an internally generated configuration because the IP address of the local real server and the CSM virtual server address must be the same. When the CSM initiates a connection to this local real server, the SYN frame is both sent and received by the CSM. When the CSM receives the SYN, and the destination IP address or port is the same as the virtual server VS1, the CSM matches VS1 unless a more-specific virtual server is added.

Configuring the Server Side

A standard virtual server configuration is used for Layer 4 and Layer 7 load balancing when the SSL Services Module uses the CSM as the back-end server.

To restrict this virtual server to receive only traffic from the SSL Services Module, use the VLAN local virtual server submode command as follows:

Cat6k-2(config-module-csm)# serverfarm SLBdefaultfarm

Cat6k-2(config-slb-sfarm)# real 10.2.0.20

Cat6k-2(config-slb-sfarm)# inservice

Cat6k-2(config-module-csm)# vserver VS2

Cat6k-2(config-slb-vserver)# virtual 10.2.0.100 tcp www

Cat6k-2(config-slb-vserver)# serverfarm SLBdefaultfarm

Cat6k-2(config-slb-vserver)# vlan local

Cat6k-2(config-slb-vserver)# inservice

You can configure the real server as the bac- end server as shown in this example:

Cat6k-2(config-module-csm)# serverfarm SSLpredictorforward

Cat6k-2(config-slb-sfarm)# predictor forward

Cat6k-2(config-module-csm)# vserver VS3

Cat6k-2(config-slb-vserver)# virtual 0.0.0.0 0.0.0.0 tcp www

Cat6k-2(config-slb-vserver)# serverfarm SSLpredictorforward

Cat6k-2(config-slb-vserver)# inservice

Configuring the CSM as the Back-End

The virtual server and server farm configurations permits you to use real servers as the back-end servers. Use the configuration that is described in the "Configuring the Client Side" section and then configure the SSL daughter card to use the CSM as the back-end server:

Configuring the Real Server as the Back-End Server

The server-side configuration traffic flow with the real server as the back-end server is similar to the client-side configuration. Use the configuration that is described in "Configuring the Client Side" section and then configure the SSL Services Module to use a real server as the back-end server.

No new configuration is required for the SSL Services Module proxy service configuration. This example shows how the configuration is internally initiated and hidden from the user: